Sessions with multipath routing

Moderator: Securepoint

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Sessions with multipath routing

Post by ajl119 »

Hello, is it possible to configure the properties of the multi-path routing?

E.g. We have two default gateways (Both with an equal weighting) and all works. However I am getting complaints that services which need persistent sessions (E.g. VNC & SSH sessions) are being kicked off after a couple of minutes.

Is it possible to specify the session life time?

E.g. The Load balancer chooses a route/path, the TCP/UDP session comes up, traffic then stays on that route/path for the life time of the session.
Currently; The Load balancer chooses a route/path, the TCP/UDP session comes up, after a few minutes the routing changes the route/path and the session dies :(

Thanks in advance :)

carsten
Posts: 644
Registered: Fri 05.10.2007, 12:56

Post by carsten »

Hi,

with R3 you can bind FW rules to a specific interface.

Firewall -> Rules: There is a new option "Interface"; set the interface for the given services and all traffic will run over that interface ;).
There are 10 types of people in the world... those who understand binary and those who don't.

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

Hello, but this goes against the whole point of multipath routing!

I don't want to bind to one interface, I want sessions to run over all the interfaces; however, after further investigation I have found that lots of things are dying out.

E.g. all PPTP VPNs, VNC sessions, Remote Desktop, PuTTY/SSH connections are all dying randomly. To fix this I would have to bind every service to one interface, rendering multipath routing pointless :(

There must be a way I can configure the TCP session timeout on idle before the load balancing re-routes the traffic?

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

Hello,
What load balancing implementation does Securepoint use as I know for a fact that you can configure the session timeout period even if it requires a hard coded change.

Without being able to increase the session timeout load balancing is useless for us as any connection which is not a web page request gets dropped after a short period of inactivity :(

Please help as you must agree this is a real limitation :(
We bought Securepoint solely for its ability to cluster and provide load balancing over more than one Internet connection, as we need the redundancy and performance gain.
Binding services to different interfaces is NOT acceptable to our users and my boss :(

Thank you for your time.

carsten
Posts: 644
Registered: Fri 05.10.2007, 12:56

Post by carsten »

Hi,

you can change the connection time, but I don't know the correct parameter, I will have a look on monday.
There are 10 types of people in the world... those who understand binary and those who don't.

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

Thank you very much, I do really appreciate your time on this.

I do understand that increasing this value will significantly raise the amount of memory and CPU that will be needed to keep track of all the live and expiring sessions, but this is critical for us as we cannot accept connections dying within minutes of inactivity.

Thanks.

carsten
Posts: 644
Registered: Fri 05.10.2007, 12:56

Post by carsten »

Hi,

I thought that the connection time runs out and a new connection would be established over the other route. But my ssh session will be kept for 5 days, so that couldn't be the error.

Do you have any VPN running? It could happen, if a new VPN connection has been established, that the routing tables are rewritten. If that happens, all information about the connection routing will be lost.

It's just a guess!
Last edited by carsten on Mon 01.09.2008, 11:29, edited 1 time in total.
There are 10 types of people in the world... those who understand binary and those who don't.

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

Just to provide some info on our setup;

We do not have any VPN's configured on the Securepoint firewall.
We have a LAN interface(192.168.200.5/24) and 2 WAN interfaces(192.168.214.2/24 & 192.168.215.2/24).
There are two separate DSL routers, each attached to one of the WAN ports (192.168.214.1/24 & 192.168.215.1/24 respectively).
We do not have any DSL-Interfaces setup in Securepoint, only Ethernet interfaces.

We have two default gateways defined; 192.168.214.1 and 192.168.215.1, each with a weighting of '1'.

We have a firewall rule set to allow the entire LAN network in the LAN sector, outbound 'any' access to a computer group which contains two objects, a 0/0 network in the WAN1 sector and 0/0 network in the WAN2 sector.

We are performing outbound Hide NAT on both of the outbound WAN ports. NB: no static NAT defined anywhere.
If the traffic goes out via WAN1, it is NAT'ed to the WAN1 source IP '192.168.214.1'.
If the traffic goes out via WAN2, it is NAT'ed to the WAN2 source IP '192.168.215.1'.

If we make an outbound connection from an internal workstation, the connection works perfectly at first (E.g. a PPTP VPN, SSH or VNC connection etc). However after a couple of minutes of inactivity on the session, the PPTP VPN tunnel gets disconnected.


Note: If I remove the second default gateway so traffic can only go over WAN1, the sessions never die and always stay connected.


Once the session is established via WAN1, the source IP of WAN1/'Public IP on WAN1 modem' will be used by the remote end to manage the session.
If the traffic gets redirected via WAN2 instead after a while, the session will die as it will now originate with the source IP of WAN2/'Public IP on WAN2 modem'.


I hope this helps to make our setup a little clearer.
NB: I am aware we are performing double NAT, this is by design.

You mentioned that your SSH session did not die after 5 days. Do you know if your PuTTY/SSH client or server is set up to maintain a keep-alive, as this would keep the session active and stay running over only one WAN link?

Thank you very much for your time.

How can I change the 'connection time' to see if this helps?

carsten
Posts: 644
Registered: Fri 05.10.2007, 12:56

Post by carsten »

OK, thanks for the information, tomorrow I will test it.

Sorry, but I don't know exactly which parameter fits. You can find the options under root: /proc/sys/net/netfilter

Try "echo 6666 > nf_conntrack_max" to change the values.

Via "cat /proc/net/ip_conntrack" you can check the results.
There are 10 types of people in the world... those who understand binary and those who don't.
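To see what the kernel actually holds for a session, the table carsten points at can be read directly. The script below is an added example, not Securepoint code; it parses lines in the /proc/net/ip_conntrack layout of 2.6-era kernels and prints, per TCP/UDP flow, which firewall WAN address the reply direction is addressed to (that is the hide-NAT source the remote end sees), the conntrack state, the remaining timeout and the connection mark. The three sample lines are constructed for this example and assume the WAN interface addresses 192.168.214.2 and 192.168.215.2 are the hide-NAT sources. Two points worth keeping apart while playing with the /proc/sys/net/netfilter knobs: nf_conntrack_max sizes the table, while the idle lifetime of an established TCP flow is nf_conntrack_tcp_timeout_established, which defaults to 432000 s (5 days) on Linux.

```shell
#!/bin/sh
# Added example (not Securepoint code): per-flow view of the conntrack table.
# Line layout assumed (2.6-era /proc/net/ip_conntrack):
#   tcp 6 <timeout> <STATE> src= dst= sport= dport= ... src= dst= sport= dport= ... [ASSURED] mark=N use=N
#   udp 17 <timeout>        src= dst= sport= dport= ... src= dst= sport= dport= ... mark=N use=N
# The second src=/dst=/sport=/dport= group is the reply direction; its dst=
# is the address the hide NAT rewrote the original source to.

# Constructed sample lines (not real output); 192.168.214.2 / 192.168.215.2
# are assumed to be the firewall's WAN addresses used as hide-NAT sources.
SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.200.10 dst=203.0.113.5 sport=51234 dport=22 packets=12 bytes=1440 src=203.0.113.5 dst=192.168.214.2 sport=22 dport=51234 packets=11 bytes=1200 [ASSURED] mark=1 use=1
tcp      6 118 TIME_WAIT src=192.168.200.11 dst=203.0.113.7 sport=40000 dport=443 packets=20 bytes=3000 src=203.0.113.7 dst=192.168.215.2 sport=443 dport=40000 packets=18 bytes=9000 [ASSURED] mark=0 use=1
udp      17 170 src=192.168.200.10 dst=203.0.113.9 sport=500 dport=500 packets=3 bytes=600 src=203.0.113.9 dst=192.168.215.2 sport=500 dport=500 packets=2 bytes=400 [ASSURED] mark=2 use=1'

# conntrack_wan_pins: read conntrack lines on stdin, print one summary per flow:
#   <proto> <orig src:sport> -> <orig dst:dport> via <nat source> state=<S> ttl=<s>s mark=<m>
conntrack_wan_pins() {
    awk '
    $1 == "tcp" || $1 == "udp" {
        n = 0; mark = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src" || kv[1] == "dst" || kv[1] == "sport" || kv[1] == "dport") v[++n] = kv[2]
            if (kv[1] == "mark") mark = kv[2]
        }
        # v[1..4] = original tuple, v[5..8] = reply tuple; v[6] is the NATed source
        state = ($1 == "tcp") ? $4 : "-"
        printf "%s %s:%s -> %s:%s via %s state=%s ttl=%ss mark=%s\n", $1, v[1], v[3], v[2], v[4], v[6], state, $3, mark
    }'
}

# established_timeout: the sysctl that bounds how long an idle ESTABLISHED
# TCP flow stays in the table (Linux default 432000 s = 5 days).
established_timeout() {
    f=/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
    if [ -r "$f" ]; then cat "$f"; else echo "n/a (nf_conntrack not loaded)"; fi
}

# Stand-alone run: summarise the live table if present, else the sample.
if [ -r /proc/net/ip_conntrack ]; then
    conntrack_wan_pins < /proc/net/ip_conntrack
else
    printf '%s\n' "$SAMPLE" | conntrack_wan_pins
fi
echo "nf_conntrack_tcp_timeout_established = $(established_timeout)"
```

Run as root on the firewall to see the real table. A session that was set up via WAN1 shows 192.168.214.2 in the "via" column; if the same client later appears with a fresh entry via 192.168.215.2 for the same remote host and port, the route flipped and the remote end is now seeing a different source address, which is the failure mode described in this thread.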

carsten
Posts: 644
Registered: Fri 05.10.2007, 12:56

Post by carsten »

Restarting the FW will discard all changes.
There are 10 types of people in the world... those who understand binary and those who don't.

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

Hi Carsten,
Thanks for your reply. Incidentally we have a lot of sessions running on our network as we have a team of developers and a software support team so we have many many more sessions running than most people due to the type of applications we use.

I am sure I read that if you change nf_conntrack_max, you also have to change nf_conntrack_buckets to the same value to avoid too many lookups.

Also, what about nf_conntrack_tcp_timeout_*?

Is there a way I can configure and play with these values such that they are persistent?
Thank you again for your time.
Andy.

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

Hello, I have confirmed the issue is with the securepoint implementation being incomplete.

This is an example of our exact problem;
http://linux.derkeiler.com/Newsgroups/c ... 00045.html
http://www.mail-archive.com/lartc@mailm ... 15079.html

This issue seems to be related to having NAT enabled on the outbound interfaces.

Thanks for your time. Hope this helps.
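The setup described earlier in the thread (LAN 192.168.200.5/24, WAN1 192.168.214.2 behind the DSL router 192.168.214.1, WAN2 192.168.215.2 behind 192.168.215.1, two equal-weight default gateways, hide NAT on each WAN) and the NAT-related fix this post refers to can be reproduced with plain Linux iproute2 and iptables. The script below is an added example; it is not Securepoint's code and not taken from the linked posts. It assumes interface names eth0 (LAN), eth1 (WAN1) and eth2 (WAN2), routing table ids 101/102 and connection marks 1/2, none of which appear in the thread. It pins every connection to the uplink the kernel picked for its first packet, so the hide NAT keeps a single source address for the whole session instead of flipping to the other WAN's address when the route selection changes:

```shell
#!/bin/sh
# Added example (not Securepoint code): pin each connection to the uplink it
# started on, with CONNMARK + policy routing, so the per-uplink hide NAT keeps
# one source address for the life of the flow.
# Addresses are the ones posted in the thread. Interface names, routing table
# ids and mark values are assumptions (the thread does not name them).

LAN_IF=${LAN_IF:-eth0}
WAN1_IF=${WAN1_IF:-eth1}; WAN1_IP=192.168.214.2; WAN1_GW=192.168.214.1
WAN2_IF=${WAN2_IF:-eth2}; WAN2_IP=192.168.215.2; WAN2_GW=192.168.215.1
T_WAN1=101; T_WAN2=102     # routing table ids, assumed unused
M_WAN1=1;   M_WAN2=2       # connection marks, one per uplink

# sticky_multipath_rules: print the ip/iptables commands in the order they
# must be applied. Piping them to "sh -e" as root applies them.
sticky_multipath_rules() {
cat <<EOF
# one table per uplink: a marked packet is forced out the uplink it belongs to
ip route replace default via $WAN1_GW dev $WAN1_IF table $T_WAN1
ip route replace default via $WAN2_GW dev $WAN2_IF table $T_WAN2
ip rule add fwmark $M_WAN1 table $T_WAN1 priority 100
ip rule add fwmark $M_WAN2 table $T_WAN2 priority 101
# unmarked packets (first packet of a new flow) still balance, equal weight
ip route replace default scope global nexthop via $WAN1_GW dev $WAN1_IF weight 1 nexthop via $WAN2_GW dev $WAN2_IF weight 1
# 1. before routing: copy the connection's mark onto the packet (0 for a new flow)
iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --restore-mark
# 2. after routing: remember, on the connection, which uplink the first packet took
iptables -t mangle -A POSTROUTING -o $WAN1_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $M_WAN1
iptables -t mangle -A POSTROUTING -o $WAN2_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $M_WAN2
# 3. hide NAT per uplink; with 1+2 the uplink, and so the source address, is fixed per flow
iptables -t nat -A POSTROUTING -o $WAN1_IF -j SNAT --to-source $WAN1_IP
iptables -t nat -A POSTROUTING -o $WAN2_IF -j SNAT --to-source $WAN2_IP
EOF
}

# uplink_for_mark: which uplink a given connection mark pins a flow to
uplink_for_mark() {
    case "$1" in
        "$M_WAN1") echo "$WAN1_IF" ;;
        "$M_WAN2") echo "$WAN2_IF" ;;
        *) echo "balanced" ;;   # mark 0: kernel multipath decides
    esac
}

case "${1:-print}" in
    apply) sticky_multipath_rules | sh -e ;;    # needs root and the real uplinks
    *)     sticky_multipath_rules ;;
esac
```

Without an argument the script only prints the commands; `--apply` pipes them into a root shell. The pinning works because the mark stored on the conntrack entry by the first packet is restored onto every later packet of that flow in mangle PREROUTING, before the routing decision, and the fwmark rules then override the balanced default route. Only the first packet of a connection goes through the multipath choice; whatever the kernel's route cache later decides for that destination no longer moves an existing flow, so the SNAT source seen by the remote end stays constant. This does not touch the conntrack timeouts discussed earlier in the thread; those bound how long an idle entry (and with it the mark) survives.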

carsten
Posts: 644
Registered: Fri 05.10.2007, 12:56

Post by carsten »

Hallo,

thanks for your information. Now I can replicate the error: sometimes the connection changes the route and is dropped by the firewall.

I reported this error to our developers, I hope they'll find a solution quickly.

Regards
Carsten
There are 10 types of people in the world... those who understand binary and those who don't.

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

Wonderful news.
Please do forward the links in my previous post to the developers as the links discuss in detail the exact changes needed to fix this.

Thank you very much :)

carsten
Posts: 644
Registered: Fri 05.10.2007, 12:56

Post by carsten »

Hi,

we need your configuration to check if everything is configured correctly. Please send it to support [at) securepoint.de.
There are 10 types of people in the world... those who understand binary and those who don't.

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

OK thanks, I will have to wait until we are out of business hours to be able to change the passwords etc before doing a configuration export for you. As soon as I have it I will email it.

It would be really good if you could check through everything in case I have made any bad design decisions.

carsten
Posts: 644
Registered: Fri 05.10.2007, 12:56

Post by carsten »

Hi,

you don't need to wait.

- Change the passwords
- Save as "sec_export"
- Load your old config
- Export sec_export and send it to us
- Delete sec_export

With the correct entries an RDP session will be reopened if it changes the route. No problem; now I'm testing it on an SSH session.
There are 10 types of people in the world... those who understand binary and those who don't.

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

Email sent.
password for encrypted zip file containing configuration is monitor

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

PS: Yes you are right, RDP will cope with the session dying, but only because RDP supports automatic reconnects and creates a new session without user intervention.

A better example of the problem can be seen with SSH (putty) or VNC sessions to devices on the Internet. :)

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

Hello, please do let me know if you have received our configuration OK and you have been able to access it?
If you have any problems let me know and i will provide another.

carsten
Posts: 644
Registered: Fri 05.10.2007, 12:56

Post by carsten »

Hi,

there was a lot to do in the last few days and now I found out that I didn't get your config.

With ssh the session always dies if the route changes.

Can you set up a keep-alive request for the connection? I think this should hold the session. Under PuTTY it is possible.
There are 10 types of people in the world... those who understand binary and those who don't.

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

Hello, I'm sorry to sound like a nag, but this really isn't good enough.

These are just quick and dirty workarounds you are suggesting! I should not have to maintain the sessions from the client end; the intermediate routers should be capable of holding the session.
And regardless, we use a lot more technologies than just RDP and SSH which don't have the facility for sending keep-alives.

These links quite clearly show a technical example of the problem and what had to be done it fix it;
http://linux.derkeiler.com/Newsgroups/c ... 00045.html
http://www.mail-archive.com/lartc@mailm ... 15079.html

Please implement the fix in the Securepoint firewall. Please.

PS. I have sent my configuration again to support@securepoint.de same password as detailed 4 posts above
Thank you for your time on this.

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

PS. I sent the configuration file as a zip file; does your mail server block password-protected ZIP files?

carsten
Posts: 644
Registered: Fri 05.10.2007, 12:56

Post by carsten »

Hi, yes, you are right. Can you send it as 7zip (.7z)?
There are 10 types of people in the world... those who understand binary and those who don't.

ajl119
Posts: 160
Registered: Thu 21.06.2007, 19:05

Post by ajl119 »

Hello, have you received my email OK?
If not I will upload the configuration to a file share site.

Locked